System and method of secure data entry

ABSTRACT

A computational device having a user interface is disclosed, the user interface enables a user to securely enter data into the computational device. In particular, the user interface may include a user input portion and a user output portion. The user input portion may be partitioned into a number of input zones, each having a data value associated therewith that when engaged by a user causes the data value associated with the engaged input zone to be provided as input to the computational device.

FIELD OF THE DISCLOSURE

The present disclosure is generally directed toward data entry into user devices and particularly toward mechanisms for securing the same.

BACKGROUND

Secure and private entry of data has always been a major concern in systems intended to control access to a resource or a facility. In many such systems such as those used in the physical and logical access control industries, restricted access is provided to a select group of users via a numeric keypad alone or a keypad incorporated into a reader. These keypads typically have a set of numbers plus special symbols (characters) that are exposed to the user side for data entry. These characters are connected to an electronic device with intelligence to recognize the characters entered (decode) and compare them to the code required to provide entrance to the system. Sometimes this device does not actually process the entered code and instead, transmits this to another device to actually perform the comparison. The users interact with the system by pressing the appropriate characters that represent an access code or password specifically chosen for that system. Examples of such keypads are those employed at credit card terminals, burglar alarm keypads, and access control keypads.

Traditional keypads have static configurations. They generally consist of numbered buttons ranging from 0 through 9 and an “*” and a “#” button much like a typical telephone keypad. Such numbers exist in a common pattern and hence the user or anyone with knowledge of the pattern can simply enter the code without looking at numbers on the keypad. While this is particularly useful for users with sight impairments, it negatively impacts the security of the system because patterns can be deduced more easily than the codes themselves.

One example of the utilization of such keypads is in parking applications such as entrance to a parking facility or a residential gated community which have gated entrances secured with an access control keypad. To gain entry to the secured area, a user must provide the keypad with a valid security code. All individuals with permission to enter the facility are provided with a common security/access code which opens the gate and allows entry on to the premises. Usage in which all individuals have the same password is typically referred to as a “common code” system.

In single common code systems, the numbers or range of possible numbers (i.e., the number of possible combinations) which make up a user's password is finite and can be deduced in several ways. A non-authorized user may observe a user and the patterns typed in, significantly reducing the security of the system. Additionally, the non-authorized user may acquire the password by analyzing the physical keypads for wear. Wear indicates high utilization and would also significantly narrow down the range of possibilities. More sophisticated methods of compromising such systems include “dusting” the keys or applying non-visible material in an attempt to determine which keys comprise the password.

In statistical measure, if we assume a typical keypad with digits 0 through 9 and an “*” and “#” button, if the access code is four digits, then the probability of guessing the correct code is (1/9! * 1/4!) or 1 chance in 157,464. However, assume that the user can reduce the digits used to the four most commonly utilized digits based on the wear of the keypad numbers. This probability then reduces to (1/4!) or 1 chance in 24.

For these reasons and more, it would be desirable to have an improved method for increasing security of systems accessed utilizing security keypads. Additionally, it would be desirable to have such an improved method for increasing security of systems wherein the keypad configuration changes automatically after each or a series of user interfaces.

Some solutions have been proposed to address the above-described problem. One common example is referred to as a Hirsch ScramblePad®. The particular construction of the Hirsch ScramblePad® is described in detail in one or more of U.S. Pat. Nos. 4,333,090; 4,479,112; and 4,644,326; all of which are hereby incorporated herein by reference in their entirety. The main concept behind the Hirsch ScramblePad® is to randomize the number which is assigned to a given key for every instance a user is required to provide input via the keypad. This means that the same valid code will not be entered with the same pattern. Rather, different physical keys will need to be depressed to enter the same valid code at different times. Accordingly, the idea of utilizing a variable keypad addresses many of the security concerns described above. Other mechanisms for securing user input are described, for example, in U.S. Pat. Nos. 4,100,534; 4,221,975; 4,369,973; 4,502,048; 4,806,745; 5,949,348; 5,970,146; 6,049,790; 6,317,835; 6,434,702; 6,549,194; and 7,479,949; all of which are hereby incorporated herein by reference in their entirety.

A problem common to all of the above-noted solutions is that they are complex and, therefore, very costly to implement. Implementing these solutions in many situations becomes cost-prohibitive. Accordingly, there exists a need for a secure yet cost-effective mechanism for securing data entries of a user.

SUMMARY

It is, therefore, one aspect of the present disclosure to provide a secure and cost-effective solution for securing data entries of a user in a computational device. In particular, embodiments of the present disclosure propose solutions in which the confidentiality of user inputs is protected by a combination of visual data scrambling and off-angle viewing techniques. The proposed solutions can be implemented at a fraction of the cost of existing solutions.

In one embodiment of the present disclosure, a user input is provided which includes a linear position sensor that is configured to determine if a user's finger is touching the user input as well as the position of where the sensor is being touched. As a user's finger is touching the user input, the user is required to slide their finger along the user input in a scrolling motion. As the user scrolls their finger across the user input and, therefore, across a number of input zones, a user output displays the data value currently corresponding to the input zone where the user's finger is located. When the user sees that the desired data value is depicted by the user output, the user removes their finger from the user input and the data value currently corresponding to the input zone where the user's finger was last located is provided as a data input for a computational device. This process can be repeated until the user has entered the entire password.

When the number of digits in the password is not a fixed number, then we can add an additional symbol to the set of characters that are displayed as the user slides his finger along the user input device. This symbol, e.g., “E” for enter, is used as a terminator to indicate that all of the data has been entered.

Since it is possible that the user has incorrectly entered data, we need to provide a way for the user to clear the previous entries and start again. This can be accomplished by the use of an additional symbol. When the user slides his finger and this symbol is displayed, e.g., “C” for clear, then the input data is cleared and the process starts again.

The linear input sensor may be comprised of a linear resistor, linear capacitive element, a full finger biometric sensor, a swipe biometric sensor, and a touch-sensitive screen such as what is used on the Apple iPhone®. This linear sensor may be constructed in a straight line or can be in shapes or even circular and could even be incorporated into the handle of a door lock in which the motion is twisting left or right.

One or more additional security mechanisms may be employed to further enhance the security with which user inputs are captured. As one example, the input zones of the user input may be re-assigned random and different data values for every instance where a user input is to be captured. As another example, they could be arranged in ascending order and then descending order. As another example, the size and/or configuration of the input zones themselves may be altered for every instance where a user input is to be captured. As another example, a number of different types of user output may be utilized ranging between a single digit display, a multi-digit display, and a touch-screen that incorporates the user output into the same area as the user input.

In some embodiments, it may also be possible to capture one or more parameters (e.g., applied pressure, slide speed, fingerprint, finger size, etc.) of a user's input. The captured parameters may be mathematically/statistically assessed over a number of valid user inputs and after an appropriate number of valid user inputs have been received and the associated parameters have been incorporated into an average (or mean or some other value obtained from a mathematical formula), the average of the captured parameters can be compared to the current parameter and, if different by a certain amount, may be used to detect potentially suspect user inputs.
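The parameter-averaging check just described, as an added example (not code from the disclosure): only validated entries feed a running mean and standard deviation per captured parameter, no judgement is made until a minimum number of valid entries exists, and a current entry whose parameters sit more than a set number of standard deviations from the baseline is flagged as suspect. The parameter names, thresholds and sample values are constructed assumptions.

```python
"""Running baseline of captured input parameters with a deviation check.

Added example, not code from the disclosure. It models the SUMMARY's idea
of averaging parameters of VALID entries (only valid entries feed the
baseline, so failed attempts cannot shift it) and comparing the current
entry against that average. Parameter names, thresholds and sample values
are constructed assumptions.
"""
import math


class ParameterBaseline:
    def __init__(self, min_samples=5, z_threshold=3.0):
        self.min_samples = min_samples   # valid entries needed before judging
        self.z_threshold = z_threshold   # "different by a certain amount"
        self.n = 0
        self.mean = {}
        self.m2 = {}                     # running sum of squared deviations (Welford)

    def record_valid(self, params):
        """Fold the parameters of a validated entry into the running statistics.
        The same parameter keys must be supplied on every call (assumption)."""
        self.n += 1
        for key, x in params.items():
            mean = self.mean.get(key, 0.0)
            delta = x - mean
            mean += delta / self.n
            self.mean[key] = mean
            self.m2[key] = self.m2.get(key, 0.0) + delta * (x - mean)

    def stddev(self, key):
        """Sample standard deviation of one parameter (0.0 until two samples exist)."""
        if self.n < 2:
            return 0.0
        return math.sqrt(self.m2[key] / (self.n - 1))

    def assess(self, params):
        """Return (suspect, details) for the parameters of the current entry.

        suspect is False while the baseline holds fewer than min_samples valid
        entries; otherwise True when any parameter deviates by more than
        z_threshold standard deviations from its running mean.
        """
        if self.n < self.min_samples:
            return False, {"ready": False, "samples": self.n}
        deviations = {}
        for key, x in params.items():
            if key not in self.mean:
                continue                 # unknown parameter: nothing to compare
            sd = self.stddev(key)
            if sd > 0.0:
                z = abs(x - self.mean[key]) / sd
            else:                        # zero-variance baseline: any change counts
                z = 0.0 if x == self.mean[key] else math.inf
            deviations[key] = z
        flagged = sorted(k for k, z in deviations.items() if z > self.z_threshold)
        return bool(flagged), {"ready": True, "z": deviations, "flagged": flagged}


# Constructed sample data: six valid entries by the legitimate user.
VALID_ENTRIES = [
    {"pressure": 0.50, "slide_speed": 120.0, "finger_size": 8.1},
    {"pressure": 0.52, "slide_speed": 125.0, "finger_size": 8.0},
    {"pressure": 0.48, "slide_speed": 118.0, "finger_size": 8.2},
    {"pressure": 0.51, "slide_speed": 122.0, "finger_size": 8.1},
    {"pressure": 0.49, "slide_speed": 119.0, "finger_size": 7.9},
    {"pressure": 0.50, "slide_speed": 121.0, "finger_size": 8.0},
]


def build_baseline(entries=VALID_ENTRIES):
    """Build a baseline from a list of validated entries."""
    baseline = ParameterBaseline(min_samples=5, z_threshold=3.0)
    for entry in entries:
        baseline.record_valid(entry)
    return baseline


if __name__ == "__main__":
    b = build_baseline()
    print(b.assess({"pressure": 0.50, "slide_speed": 121.0, "finger_size": 8.1}))
    # A much harder press at a different speed: correct code, suspect parameters.
    print(b.assess({"pressure": 0.95, "slide_speed": 60.0, "finger_size": 8.1}))
```

A flagged entry is a signal to feed the device's attack heuristics or to require a second factor, not by itself a reason to deny a valid code.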

It is another aspect of the present disclosure to provide a privacy shielding material over the user output to limit off-axis viewing of the user output such as 3M Vikuiti™ Light Control Film. For stronger off-axis viewing protection, the user output may be recessed within the computational component and louvers may be utilized.

It is another aspect of the present disclosure to provide interchangeable snap-in bezels which enable an input mode of the computational device to be altered. In one input mode, a scrambling keypad may be employed where a user is required to slide their fingers in a groove and across a user input device, such as the one of the several variations described above, to achieve a user input. In another input mode, a traditional keypad with numbers in standard locations could be used to achieve user input. In another mode, a gesturing keypad may be utilized whereby a plurality of intersecting grooves are provided and a user is required to slide their fingers in various patterns across the intersecting grooves to achieve the desired user input.

The present invention will be further understood from the drawings and the following detailed description. Although this description sets forth specific details, it is understood that certain embodiments of the invention may be practiced without these specific details. It is also understood that in some instances, well-known circuits, components and techniques have not been shown in detail in order to avoid obscuring the understanding of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is described in conjunction with the appended figures:

FIG. 1A is a block diagram of an access control system having a first configuration in accordance with embodiments of the present disclosure;

FIG. 1B is a block diagram of an access control system having a second configuration in accordance with embodiments of the present disclosure;

FIG. 2 is a block diagram of a user device in accordance with embodiments of the present disclosure;

FIG. 3 is a block diagram depicting details of a reader/user device in accordance with embodiments of the present disclosure;

FIG. 4A is a block diagram depicting a first step of securely entering data via a user interface in accordance with embodiments of the present disclosure;

FIG. 4B is a block diagram depicting a second step of securely entering data via a user interface in accordance with embodiments of the present disclosure;

FIG. 4C is a block diagram depicting a third step of securely entering data via a user interface in accordance with embodiments of the present disclosure;

FIG. 4D is a block diagram depicting a fourth step of securely entering data via a user interface in accordance with embodiments of the present disclosure;

FIG. 5A is a block diagram depicting a first configuration of a user input in accordance with embodiments of the present disclosure;

FIG. 5B is a block diagram depicting a second configuration of a user input in accordance with embodiments of the present disclosure;

FIG. 5C is a block diagram depicting a third configuration of a user input in accordance with embodiments of the present disclosure;

FIG. 5D is a block diagram depicting a fourth configuration of a user input in accordance with embodiments of the present disclosure;

FIG. 5E is a block diagram depicting a fifth configuration of a user input in accordance with embodiments of the present disclosure;

FIG. 5F is a block diagram depicting a sixth configuration of a user input in accordance with embodiments of the present disclosure;

FIG. 6 is a block diagram depicting details of a secure user interface in accordance with embodiments of the present disclosure;

FIG. 7 is a flow diagram depicting a user input capture method in accordance with embodiments of the present disclosure; and

FIG. 8 is a flow diagram depicting a user input analysis method in accordance with embodiments of the present disclosure.

DETAILED DESCRIPTION

The ensuing description provides embodiments only, and is not intended to limit the scope, applicability, or configuration of the claims. Rather, the ensuing description will provide those skilled in the art with an enabling description for implementing the described embodiments. It being understood that various changes may be made in the function and arrangement of elements without departing from the spirit and scope of the appended claims.

FIGS. 1A and 1B show illustrative embodiments of an access control system 100 in accordance with embodiments of the prior art. Both configurations of the access control system 100 include a reader 104 that is generally provided at a strategic location to secure one or more assets. In some embodiments, the reader 104 is in communication with a networked device 108 via a first communication link. The first communication link between the reader 104 and networked device 108 may be established over a secured or unsecured communication network via TCP/IP, Wi-Fi, Zigbee, Cellular modem, RS485, current loop, and Wiegand. Such a reader 104 is referred to as a networked reader because the reader 104 provides some or all data used in making an access control decision to the networked device 108. In the embodiment depicted in FIG. 1B, the networked device 108 comprises the necessary functionality, in the form of an authentication module 116, to analyze the data received from the reader 104 and make an access control decision for the reader 104. A control panel is one example of a networked device 108 which is typically used in the access control industry. Other types of networked devices 108 include a host computer with or without a web server, a server providing Software as a Service (SaaS), a cloud-based application, or the like.

After the access control decision has been made at the authentication module 116 of the networked device 108, the networked device 108 communicates the results of the decision back to the reader 104, which comprises a release mechanism 120 that is enabled to either release one or more assets if a decision has been made to grant access or maintain such assets in a secure state if a decision has been made to deny access. For access control applications, the release mechanism 120 is typically a relay whereas in logical access applications, the release mechanism 120 is realized by software instructions.

In an alternative configuration depicted in FIG. 1A, the release mechanism 120 may be provided in the networked device 108 and the authentication module 116 may be provided in the reader 104. In this configuration, the reader 104 may make the access control decisions and report the results of those decisions to the networked device 108 which selectively activates the release mechanism 120 depending upon the results of the decision made by the authentication module 116.

One function of a reader 104 is to control access to certain assets. More specifically, a reader 104 may be positioned at an access point for a given asset (e.g., a door for a room, building, or safe, a computer for electronic files, and so on). Unless a user provides the reader 104 with a valid input via a user interface 112 of the reader 104, the access point is maintained in a secure state such that admittance or access to the asset is denied. If a user enters a valid input via the user interface 112, then the reader 104 has the discretion to allow the user access to the asset and implement various other actions accordingly.

Although the reader 104 is depicted as having only a user interface 112, one skilled in the art will appreciate that the reader 104 may be configured to read data from an access control credential carried by the user in addition to receiving user input from the user. A credential is a device that carries evidence of authority, status, rights, and/or entitlement to privileges for a holder of the credential. A credential is a portable device having memory and a reader interface (i.e., an antenna and Integrated Circuit (IC) chip) which enables the credential to exchange data with the reader 104, usually via a credential interface of the reader 104. One example of a credential is an RFID smartcard that has data stored thereon allowing a holder of the credential to access an asset protected by a reader 104. Other examples of a machine-readable credential include, but are not limited to, proximity RFID-based cards, access control cards, credit cards, debit cards, passports, identification cards, key fobs, Near Field Communications (NFC)-enabled cellular phones, Personal Digital Assistants (PDAs), tags, or any other device configurable to emulate a virtual credential.

In embodiments where the reader 104 is configured to receive both user input via the user interface 112 and credential input from a credential carried by the user, the reader 104 is capable of performing dual-factor authentication by verifying both the validity of user input (i.e., something that the user knows) as well as the validity of credential input (i.e., something that the user has). The reader 104 may also be configured to receive biometric input from the user to further enhance the security of the access control system 100.

As noted above, the networked device 108 may be responsible for making some or all of the asset-access decisions based on data received at the reader 104 from the user. In some embodiments, the reader 104 may not be connected to a networked device 108, in which case the reader 104 is referred to as a stand-alone reader. Stand-alone readers comprise the decision-making components necessary to analyze input received from a user and determine, based on the received input, if the user is entitled to access an asset secured by the reader 104. The access control rules for entry including time zone, day of week, etc. may be contained in a database in the stand-alone reader that is programmable by methods including using the keypad itself, using a PDA or mobile phone via NFC, infrared light, audio, or a wired connection. In some cases, the access control decision rules may be contained in the machine-readable credential read at the reader incorporated into the stand-alone device/user input combination. Stand-alone readers are generally desirable in situations where a reader 104 is in an isolated location and a communication link between the networked device 108 and reader 104 is not easily established.

In configurations where the reader 104 is a networked reader, a communications network may be used to establish the communication link between the reader 104 and networked device 108. Exemplary communication networks may provide bi-directional communication capabilities, which may selectively be implemented in a form of wired, wireless, fiber-optic communication links, or combinations thereof. Even though the communication link between the networked device 108 and reader 104 is depicted as bi-directional, one skilled in the art can appreciate that the communication link may be unidirectional. As one example, the reader 104 may utilize the Wiegand protocol to communicate with the networked device 108.

The communication link between the reader 104 and networked device 108 may be implemented utilizing buses or other types of device connections. The protocols used to communicate between the networked device 108 and the reader 104 may include one or more of the TCP/IP protocol, RS 232, RS 485, Current Loop, Power over Ethernet (PoE), Bluetooth, Zigbee, GSM, WiFi, and other communication methods and protocols known in the art.

The networked device 108 may be a general-purpose computer adapted for multi-task data processing and suitable for use in a commercial setting. Alternatively, the networked device 108 may be implemented as a host computer or server and the reader 104 can be connected to the host computer via a TCP/IP connection or other type of network connection. A memory comprising a database of records for the system 100 may be associated with the networked device 108. The database, although not depicted, may be integral with or separated from the networked device 108 or it may be incorporated into the reader 104. The database maintains records associated with the readers 104, users, algorithm(s) for acquiring, decoding, verifying, and modifying data contained in the readers 104, algorithm(s) for testing authenticity and validity of user inputs, algorithm(s) for implementing actions based on the results of these tests, and other needed software programs. Specific configurations of the networked device 108 are determined based on and compliant with computing and interfacing capabilities of the readers 104.

FIG. 2 depicts an exemplary user device 204, which may be equipped with a user interface 112 that is similar or identical to the user interface 112 of the reader 104. The user device 204 may correspond to any type of device capable of performing one or more actions based on input received at the user interface 112. Although not depicted, the user device 204 may also be connected to a communication network and may be configured to exchange messages with networked devices 108 via the network. Examples of a user device 204 include, without limitation, a computer, laptop, netbook, iPad®, iPod®, iPhone®, mobile/cellular phone, telephone, Personal Digital Assistant (PDA), or the like.

With reference now to FIG. 3, additional details of a reader 104 and/or user device 204 (collectively referred to hereinafter as a “computational device 104, 204”) will be described in accordance with embodiments of the present invention. The computational device 104, 204 may comprise memory 304 that includes a number of instructions 308, modules, and other data structures as well as a processor 336 for executing the instructions 308 and other contents of memory 304.

The computational device 104, 204 may also include a communication interface 344 which allows the computational device 104, 204 to communicate with a networked device 108. Exemplary types of communication interfaces 344 include, without limitation, an RF antenna and driver, an infrared port, a fiberoptics interface, a Universal Serial Bus (USB) port, an Ethernet port, a serial data port, a parallel data port, any type of interface which facilitates communications over a packet-based communication network, such as the Internet, and so on.

The computational device 104, 204 may further include a credential interface (not depicted) which enables the computational device 104, 204 to communicate with one, two, three, or more different types of credentials. The type of credential interface provided on the computational device 104, 204 may vary according to the type of credential that is in the system 100. In some embodiments, the credential interface includes one or more of an antenna, an array of antennas, an infrared port, an optical port, a magnetic stripe reader, a barcode reader or similar machine-vision components, a Near Field Communications (NFC) interface, or any other component or collection of components which enables the computational device 104, 204 to communicate with credentials and other portable memory devices. In some embodiments, the credential interface enables the computational device 104, 204 to read one or more non-RFID machine-readable credentials including one or more of magnetic stripe cards, bar codes, Wiegand cards, Hollerith, infrared, Dallas 1-wire, and barium ferrite.

In some embodiments, the credential interface and communication interface 344 are of the same type (i.e., RF communication interfaces). In some embodiments, the credential interface and communication interface 344 are implemented as a single interface. Thus, the computational device 104, 204 may be enabled to communicate with credentials and networked devices 108 by using the same hardware components.

In addition to a communication interface 344, the computational device 104, 204 may include a user interface 112 which facilitates user interaction between the computational device 104, 204 and a user thereof. As will be discussed in further detail herein, the user interface 112 may include one or more user inputs, one or more user outputs, or a combination user input/output. Exemplary user inputs include, without limitation, keypads (traditional or laser-projected), buttons, switches, a linear pressure sensor (e.g., linear potentiometer that is resistive and/or capacitive), a peripheral device such as a touch pad peripheral included as part of a PC or as a separate peripheral connected by, for example, USB, a mouse/trackball wheel, a mouse or trackball movement, optical detection technologies, pressure sensitive device, resistive, capacitive touch, electrostatic, or magnetic screen enabled to detect finger and pen input, rotating door knob, combination lock, or the like. Exemplary user outputs include, without limitation, lights, display screens (projection, LCD, LED, OLED, plasma, etc.), individual LEDs, seven segment LED display, multi-digit LED display, etc. In some embodiments, the user output may also be provided with a privacy shielding material, such as 3M's Vikuiti® product. The privacy shielding material may help ensure that off-axis viewing of the user output is minimized. For an even stronger protection against off-axis viewing, a louver may be utilized which recesses the actual display portion of the user output within a cavity that limits the field of view to the display portion. Exemplary combination user input/outputs may include a touch-screen interface, a multi-touch-screen interface (i.e., a touch-screen interface adapted to recognize multiple simultaneous touches, gestures, “pinches”) or any other type of interface which is capable of simultaneously displaying a user output and receiving a user input.

In addition to memory 304, the computational device 104, 204 may alsoinclude processing memory 340, which may be in the form of a RandomlyAccessible Memory (RAM), cache memory, or any other type of memory usedto facilitate efficient processing of instructions 208 by the processor336.

Whereas the processing memory 340 is used to temporarily store dataduring processing tasks, the memory 304 is provided to store permanentinstructions 308 which control the operational behavior of thecomputational device 104, 204. The memory 304 and/or 340 may beimplemented using various types of electronic memory generally includingat least one array of non-volatile memory cells (e.g., ErasableProgrammable Read Only Memory (EPROM) cells or FLASH memory cells, etc.)The memory 304 and/or 340 may also include at least one array of dynamicrandom access memory (DRAM) cells. The various routines and moduleswhich may be included in memory 304 comprise one or more of anauthentication module 312, authentication data 320, a communicationmodule 316, and configuration data 324.

The communication module 316 provides instructions which enable thecomputational device 104, 204 to communicate with other devices. Inparticular, the communication module 316 may comprise message encodingand/or decoding instructions, message encryption and/or decryptioninstructions, compression and/or decompression instructions,trans-coding instructions, and any other known type of instructionswhich facilitate communications over a communications network. Forexample, the communication module 316 may comprise instructions whichenable the computational device 104, 204 to create one or more messagesor communication packets which are appropriately formatted andtransmitted in accordance with a known communication protocol via thecommunication interface 344. Likewise, the communication module 316 mayalso comprise instructions which enable the computational device 104,204 to format messages received over the communication interface 344 forprocessing by various other components of the computational device 104,204.

Another module which may be provided in the instructions 308 is anauthentication module 312 that is capable of receiving data from theuser input portion of the user interface 112, analyzing the receiveddata, and determining if the received data corresponds to valid data. Insome embodiments, the authentication module 312 may refer toauthentication data 320 which is also stored in memory 304. In someembodiments, the authentication data 320 may comprise a list of valid orauthorized credentials and their corresponding credential data.Alternatively, the authentication data 320 may comprise algorithms foranalyzing received data and determining if such data is valid.

Configuration data 324 may also be maintained in memory 304. In someembodiments, the configuration data 324 describes operatingcharacteristics of the computational device 104, 204 such as modelnumber, firmware version(s), software version(s), computational device104, 204 identifier, and other data which describes the computationaldevice 104, 204. The characteristics of computational device 104, 204may be inherent characteristics or provisioned characteristics.

Although not depicted, the memory 304 may also contain heuristicinstructions for detecting attacks on the computational device 104, 204or other components of the access control system 100. Details of acomputational device 104, 204 configured with embedded attack detectionheuristics is further described in U.S. Patent Publication No.2010/0039220 to Davis, the entire contents of which are herebyincorporated herein by reference. Other components of memory 204 mayinclude a User Interface (UI) driver 328 and an operating system 332,which is a high-level application that facilitates interactions betweenvarious other modules and applications in memory 204 and hardwarecomponents of the computational device 104, 204. The UI driver 328 maybe responsible for facilitating operations of the user interface 112. Insome embodiments, the UI driver 328 includes commands for determiningwhen user inputs are received at the user interface 112, identifyingparameters of user inputs received at the user interface 112,conditioning parameters of use inputs received at the user interface 112into data values which can be processed by the modules contained inmemory 304, determining what and when to display data as an output atthe user interface 112, and the like. In other words, the UI driver 328may contain any commands necessary to provide a secure user interface112 as described herein.

The processor 336 may include any general-purpose programmableprocessor, digital signal processor (DSP) or controller for executingapplication programming. Alternatively, the various modules describedherein may be implemented as hardware or firmware rather than softwareand the processor 304 may comprise a specially configured ApplicationSpecific Integrated Circuit (ASIC).

With reference now to FIGS. 4A-D, an exemplary user interface 112 and process for securely entering data via the user interface 112 will be described in accordance with at least some embodiments of the present disclosure. The process depicted and described enters the simple number combination of “639”. As can be appreciated, alphanumeric inputs and more complicated data values may be utilized and the example depicted in FIGS. 4A-D is merely illustrative of one type of data input which can be realized with the user interface 112 of the present disclosure.

Also, although a user's finger is depicted as providing the input on a user input portion 404, any other type of mechanism may be utilized to interact with the user input portion 404. For example, the user may interact with the user input portion 404 with a stylus, pen, mouse, etc.

The user interface 112 may comprise both a user input portion 404 and a separate user output portion 408. The user input portion 404 may comprise a number of input zones 412 a-N, each corresponding to a different input value. A user engages the user interface 112 by touching the user input portion 404. In some embodiments, the touching of the user input portion 404 is detected by a pressure-sensitive user input portion 404. In some embodiments, the user input portion 404 may be configured with optics which detect a user's input by taking a plurality of images and determining that the user's finger is engaged with and moving across the user input portion 404. As the user slides their finger across the user input portion 404 in the direction of arrow 420, the user input zones 412 a-N are sequentially activated and deactivated (i.e., the data value corresponding to the input zone 412 where the user's finger is currently detected is displayed via the user output portion 408), based on detection of the user's finger within a particular user input zone 412.

In some embodiments, during the first instance of user input depicted in FIG. 4A, the first input zone 412 a may be assigned a first data value, the second input zone 412 b may be assigned a second data value, the third input zone 412 c may be assigned a third data value, and so on. When the user initially touches the first input zone 412 a, the first data value may be displayed via the user output portion 408. While sliding, the user's finger transitions from the first input zone 412 a to the second input zone 412 b. Once a greater amount of the user's finger area is within the second input zone 412 b instead of the first input zone 412 a, the user output portion 408 displays the second data value instead of the first data value. The user continues moving their finger across the user input portion 404 until they reach the desired input zone 416, which corresponds to the data value that the user wants to enter. Upon reaching the desired input zone 416, the desired data value is depicted via the user output portion 408. When the user sees the desired data value in the user output portion 408, the user releases their finger from the user input portion 404 and the data value corresponding to the desired input zone 416 is entered as a first data input. In the example of FIG. 4A, the first data input corresponds to the data value of 6.

After the first instance of user input, the data values assigned to each input zone 412 a-N may be re-assigned to new input zones. Alternatively, each input zone 412 a-N may continue to have the same data value assigned thereto until a complete data entry has been completed or until an invalid data entry has been detected. In other words, it may be possible to re-assign data values to input zones 412 a-N every time a new data input is received, after a complete valid password has been received, after the enter or clear input has been selected, or after an incomplete password has been received.

Moreover, the first data input may be provided from the UI driver 328 to the authentication module 312 immediately after it has been input by the user or it may be stored in cache memory until the user selects enter, at which time a series of data inputs is provided to the authentication module 312 for analysis.

Following the first data input, the user may re-engage the user input portion 404 to provide a second instance of data input as is depicted in FIG. 4B. Although different data values may be assigned to the input zones 412 a-N, the process for providing the data input is similar to the first instance of the data input. In particular, the user slides their finger across the input zones 412 a-N of the user input portion 404 until their finger reaches the desired input zone 416. The user is able to determine that their finger is within the desired input zone 416 by monitoring the value displayed via the user output portion 408. Once the user's finger is within the desired input zone 416, the user releases their finger from the user input portion 404 and the data value corresponding to the desired input zone 416 is entered as a second data input. In the example of FIG. 4B, the second data input corresponds to the data value of 3.

Following the second data input, the user may re-engage the user input portion 404 to provide a third instance of data input as is depicted in FIG. 4C. Again, the user slides their finger across the input zones 412 a-N of the user input portion 404 until their finger reaches the desired input zone 416. Once the user's finger is within the desired input zone 416, the user releases their finger from the user input portion 404 and the data value corresponding to the desired input zone 416 is entered as a third data input. In the example of FIG. 4C, the third data input corresponds to the data value of 9.

Assuming that a complete and valid data entry is “639”, the user then has to engage the user input portion 404 to command the UI driver 328 to enter the complete data entry and provide the complete data entry to the authentication module 312. The enter command is entered in a similar fashion as the first, second, and third data inputs were entered. In particular, the user slides their finger across the input zones 412 a-N of the user input portion 404 until their finger reaches the desired input zone 416. As can be seen in FIG. 4D, in this step of the process, the enter command is assigned to the desired input zone 416 instead of a data value. The user releases their finger from the user input portion 404 after they determine that their finger is within the desired input zone 416 and the enter command is provided to the UI driver 328, thereby causing the UI driver 328 to send the complete data entry to the authentication module 312 for analysis.

In some embodiments, however, if the code to be entered is a fixed number of digits, then the active implementation of an enter input is not required. In particular, the E key is not displayed and, instead, the data entry is complete after the last digit has been entered.

If the complete data entry corresponds to a valid user input, then the authentication module 312 may determine that the user is allowed to access whatever asset is being secured by the computational device 104, 204. In response to making such a determination, the computational device 104, 204 may allow the user access to whatever asset was previously secured.

With reference now to FIGS. 5A-F, a number of possible configurations of a user input portion 404 of a user interface 112 will be described in accordance with embodiments of the present disclosure. As discussed above, each input zone 412 a-N may be assigned a different data value. The data value-to-input zone assignment may be configured to last permanently, for a predetermined amount of time, until a predetermined event occurs, and so on. As one example, each input zone 412 a-N may have new data values assigned thereto after every instance of user input. As another example, the data values assigned to the input zones 412 a-N may be flip-flopped after every instance of user input or after every instance of a completed data entry. As another example, the data values assigned to the input zones 412 a-N may vary between numeric data values and then alphabetical/character data values after every instance of user input. As another example, the spaces between input zones 412 a-N or relative sizes of input zones 412 a-N may be altered after every instance of user input or after every instance of a completed data entry. As another example, the data values assigned to the input zones 412 a-N may be randomly re-assigned after every instance of user input or after every instance of a completed data entry. Combinations of the above examples may also be implemented.

By providing a user input portion 404 with the ability to have the data values assigned to the input zones 412 a-N according to a number of different configurations, a more secure user interface 112 can be provided. In particular, changing the data values assigned to the input zones 412 a-N helps ensure that a particular pattern cannot be discerned as corresponding to a valid input, since the same values will likely be input with different patterns. The exemplary configurations of the data value-to-input zone assignments represent only a few of the many possible configurations (whether specifically discussed or not) that may be utilized by the user interface 112.

Referring initially to FIG. 5A, a first exemplary configuration of a user input portion 404 is depicted where the data values are assigned incrementally to adjacent input zones 412 starting at the left and moving to the right.

With reference to FIG. 5B, a second exemplary configuration of a user input portion 404 is depicted where the data values are assigned decrementally to adjacent input zones 412 starting at the left and moving to the right.

With reference to FIG. 5C, a third exemplary configuration of a user input portion 404 is depicted where the data values are assigned randomly to the input zones 412. In the first, second, and third exemplary configurations, the enter command is assigned to the Nth input zone 412N. As can be appreciated, certain configurations may allow the enter command to be assigned to some input zone 412 that is surrounded by at least two input zones 412.

With reference to FIG. 5D, a fourth exemplary configuration of a user input portion 404 is depicted where the data values are assigned randomly to the input zones 412 and the enter command is assigned to the first input zone 412 a.

With reference to FIG. 5E, a fifth exemplary configuration of a user input portion 404 is depicted where the size of each input zone 412 varies from one input zone to the next. The alteration of size/area of input zones 412 may be coupled with other configurations described herein to further enhance the security of the user interface 112.

With reference to FIG. 5F, a sixth exemplary configuration of a user input portion 404 is depicted where data values are assigned to all but two of the input zones 412 a-N, the enter command is assigned to the first input zone 412 a, and a clear command is assigned to the Nth input zone 412N. In some embodiments, the clear command can be used to delete the last data value that was entered by a user or to delete a complete data entry.

With reference now to FIG. 6, exemplary components of a user interface 112 are depicted in accordance with at least some embodiments of the present disclosure. The components used to construct the user interface 112 provide both a secure mechanism for capturing user input as well as a cost-effective alternative to the Hirsch ScramblePad® and similar secure data-entry technologies. In some embodiments, the user interface 112 may comprise a controller 604 which includes one or more links to a user input 608, one or more links to a user output 612, and one or more links to a communication network. In some embodiments, the controller 604 corresponds to a microcontroller and may be implemented as part or all of the processor 336.

The user input 608 may correspond to a linear potentiometer (resistive or capacitive) which is configured to detect pressure applied thereto and a location of such pressure and provide an output electrical signal to the controller 604 in response thereto. The controller 604 may be configured to analyze the electrical signals received from the user input 608, determine a data value associated with such electrical signals, and send a command to the user output 612 which causes the user output 612 to display the data values so that they can be perceived by the user. In some embodiments, the user output 612 corresponds to a single or multiple digit seven segment LED/LCD display and the controller 604 may comprise an 8 bit or higher analog-to-digital converter which converts analog signals received from the user input 608 into digital signals for transmission to the user output 612.

The connection to the communication network may be implemented as any type of known communication interface 344. Examples of such communication interfaces 344 include, without limitation, a Wiegand port, an RS485 output, an Ethernet port, a USB port, and the like.

With reference now to FIG. 7, an exemplary user input capture method will be described in accordance with at least some embodiments of the present disclosure. The method begins at step 704 and continues when user interaction with the user interface 112 is detected (step 708). In some embodiments, detection of user activity at the user interface 112 may trigger the initiation of the user input capture method. Additionally, the way in which user activity is detected at the user interface 112 will depend on the type of user interface 112 being utilized. In particular, if a user interface 112 is employed that includes a pressure-sensitive user input portion 404, then detection of user activity occurs when pressure is detected as being applied at a concentrated point or area within the user input portion 404. If a user interface 112 is employed that includes an optical user input portion 404, then detection of user activity occurs when one or more images are captured which indicate that a user has touched the user input portion 404.

Assuming that a pressure-sensitive user input portion 404 is being utilized, the method continues with the controller 604 or UI driver 328 determining the data value corresponding to the currently selected input zone 412 and causing the determined data value to be displayed via a user output portion 408 of the user interface 112 (step 712).

Thereafter, the controller 604 or UI driver 328 determines if the release of pressure has been detected (step 716). The amount of pressure release required to affirmatively answer the query of step 716 may vary depending upon tolerances of the user input portion 404, environmental factors, and the like. In some embodiments, a complete release of pressure (i.e., a reading of ambient pressure only) may be required to satisfy the query of step 716. Alternatively, the pressure may only need to be decreased by a predetermined amount or by a predetermined percentage of the maximum pressure detected during step 708.

If the release of pressure has not been detected, then the method returns to step 712 and a new data value is determined and displayed if the user scrolls their finger into a new input zone 412 of the user input portion 404.

If, however, the query of step 716 is answered affirmatively, then the method continues with the controller 604 or UI driver 328 determining if the release occurred within a defined input zone 412 having a data value or command associated therewith (step 720). If not, then an error message is displayed via the user output portion 408 (step 724). Thereafter, the determination is made as to whether the user input capture method is done (step 728). This query may be answered negatively if user input is again detected at the user input portion 404 within a predetermined amount of time after the error message was displayed. Conversely, the query of step 728 may be answered affirmatively if a predetermined number of errors occurred within a predetermined amount of time or if some other user input was detected which suggests that the computational device 104, 204 is under a potential attack. For example, if the user engages a panic input (e.g., by applying a pressure at the user input portion 404 that is greater than a predetermined pressure threshold), then the query of step 728 may be answered affirmatively. If the query of step 728 is answered affirmatively, then the user input capture method is concluded (step 732). In some embodiments, an additional step of temporarily disabling some or all functionality of the computational device 104, 204 may be performed if it is determined that the computational device 104, 204 is potentially under attack.

If the query of step 728 is answered negatively, then the method returns to step 708.

Referring back to step 720, if the user releases the user input portion 404 within an input zone having a data value assigned thereto, then the controller 604 or UI driver 328 determines the data value currently corresponding to the input zone 412 where the pressure was last detected (e.g., where the release was detected) (step 736).

The data value determined during the first iteration of step 736 may correspond to a first data input. The method continues by determining whether or not there will be more data entry before data is transmitted to the authentication module 312 for analysis (step 740). If no additional data capture is necessary (e.g., the user has selected the enter command or data inputs are provided to the authentication module 312 or networked device 108 sequentially rather than as a string of data values), then the first data input is transmitted to the authentication module 312 for analysis (step 744). Alternatively, the first data input may be transmitted to a networked device 108 for analysis. Thereafter, the method continues to step 728 to determine whether additional data inputs are being received or whether the user input capture method is complete.

Referring back to step 740, if additional data capture is necessary (e.g., the user has not selected the enter command or data inputs are provided to the authentication module 312 or networked device 108 as a string of data values rather than sequential inputs), then the first data input is stored in a cache memory for later transmission with other data inputs that are yet to be captured (step 748). Thereafter, the method returns to step 708 to begin the process of capturing the second data input, third data input, and so on until the user selects the enter command or until a predetermined number of data inputs have been captured.
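The FIG. 5 value-to-zone configurations and the FIG. 7 capture loop together, as an added Python example that is not the patent's code; the 8-bit ADC position range, the zone widths, the pressure units and the release threshold are assumptions, and `enter_code` replays the FIG. 4A-D entry of “639”:

```python
import random
from typing import List, Optional, Tuple

# Added example, not the patent's code. It models the slider keypad of FIGS. 4-7: the
# position is an 8-bit ADC reading (0..255) of the linear potentiometer (an assumption),
# zone widths and scramble policies mirror FIGS. 5A-F, and the pressure units and the
# release threshold are constructed for the simulation.

ADC_MAX = 255
ENTER, CLEAR = "E", "C"
DIGITS = [str(d) for d in range(10)]


class Layout:
    """Ordered zones as (label, relative width); a None label is a gap between zones."""

    def __init__(self, zones: List[Tuple[Optional[str], int]]):
        self.zones = zones
        self.span = sum(w for _, w in zones)

    def zone_at(self, adc: int) -> Optional[str]:
        """Label of the zone under an ADC reading; None for a gap or an out-of-range reading."""
        if not 0 <= adc <= ADC_MAX:
            return None
        pos, edge = adc / (ADC_MAX + 1) * self.span, 0.0
        for label, width in self.zones:
            edge += width
            if pos < edge:
                return label
        return None

    def adc_for(self, label: str) -> int:
        """Centre reading of the zone carrying label (the user finds it by watching the display)."""
        edge = 0.0
        for lab, width in self.zones:
            if lab == label:
                return int((edge + width / 2) / self.span * (ADC_MAX + 1))
            edge += width
        raise KeyError(label)


def make_layout(config: str, rng: random.Random) -> Layout:
    """Build one of the FIG. 5 value-to-zone configurations."""
    if config == "incremental":          # FIG. 5A: 0..9 left to right, enter at zone N
        order, widths = DIGITS + [ENTER], [1] * 11
    elif config == "random":             # FIG. 5C: shuffled digits, enter at zone N
        order, widths = rng.sample(DIGITS, 10) + [ENTER], [1] * 11
    elif config == "variable_width":     # FIG. 5E: zone sizes differ from zone to zone
        order = rng.sample(DIGITS, 10) + [ENTER]
        widths = [rng.choice([1, 2, 3]) for _ in order]
    elif config == "enter_clear":        # FIG. 5F: enter at zone a, clear at zone N
        order, widths = [ENTER] + rng.sample(DIGITS, 10) + [CLEAR], [1] * 12
    else:
        raise ValueError(config)
    return Layout(list(zip(order, widths)))


class Keypad:
    """FIG. 7 capture loop: follow the finger while pressed, commit on release, rescramble."""

    def __init__(self, config="random", seed=1234, rescramble=True, release_threshold=5):
        self.config, self.rescramble, self.release_threshold = config, rescramble, release_threshold
        self.rng = random.Random(seed)
        self.layout = make_layout(config, self.rng)
        self.cache: List[str] = []             # step 748: inputs held until enter
        self.display: Optional[str] = None     # step 712: what the output portion shows
        self.releases: List[int] = []          # ADC position of each release (the visible pattern)
        self.errors = 0                        # step 724: releases outside any defined zone

    def feed(self, samples: List[Tuple[int, int]]) -> List[str]:
        """Consume (pressure, adc) samples; return each completed entry (step 744)."""
        completed, engaged, last_zone, last_adc = [], False, None, 0
        for pressure, adc in samples:
            if pressure > self.release_threshold:   # steps 708/712: engaged, track the zone
                engaged, last_zone, last_adc = True, self.layout.zone_at(adc), adc
                self.display = last_zone
                continue
            if not engaged:
                continue
            engaged, self.display = False, None      # step 716: release detected
            self.releases.append(last_adc)
            if last_zone is None:                    # step 720 -> 724: not in a defined zone
                self.errors += 1
            elif last_zone == ENTER:                 # step 740 -> 744: send the whole entry
                completed.append("".join(self.cache))
                self.cache.clear()
            elif last_zone == CLEAR:                 # FIG. 5F: delete the last value
                if self.cache:
                    self.cache.pop()
            else:                                    # step 748: cache for later
                self.cache.append(last_zone)
            if self.rescramble:                      # new assignment after every input
                self.layout = make_layout(self.config, self.rng)
        return completed


def enter_code(keypad: Keypad, code: str) -> List[str]:
    """Simulate FIGS. 4A-D: slide from the left edge to each character's zone, then release."""
    results: List[str] = []
    for ch in code + ENTER:
        target = keypad.layout.adc_for(ch)
        trace = [(60, a) for a in range(0, target + 1, 8)] + [(60, target), (0, target)]
        results += keypad.feed(trace)
    return results
```

With the static "incremental" layout the same digit is always released at the same ADC position, so `keypad.releases` repeats; with a rescrambling layout the same code is entered at different positions each time.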

With reference now to FIG. 8, an exemplary user input analysis method will be described in accordance with at least some embodiments of the present disclosure. The method begins when user input is received at the user interface 112 (step 804). Thereafter, the method may proceed down one of two paths depending upon a number of considerations. One path corresponds to a process of determining a user input parameter average (or other result obtained from a different mathematical formula), whereas the other path corresponds to a process of analyzing the currently received user input based on a historical user input parameter average to determine if the currently received user input is suspect. The analysis process is generally not performed until a predetermined and suitable number of user inputs have been received such that a user input parameter average is determined and the standard deviation of the user input parameters used to calculate the average is less than a predetermined threshold value.

If the method continues only with the process of determining a user input parameter average, then one or more parameters of interest are determined for the recently received user input (step 808). Exemplary parameters of interest which may be determined in this step include amount of pressure applied to the user input portion 404, size of finger, fingerprints or fingerprint characteristics, slide speed, and so on. The parameter(s) of interest determined for the recently received user input are then used to determine an average of the parameter(s) of interest (step 812). The average values may be based on all user inputs received or based only on valid user inputs received.

Referring back to step 804, if the method continues with the process of determining user input validity (i.e., the analysis process), then the method continues with the authentication module 312 comparing one or more parameters of interest from the recently received user input with averages of the corresponding one or more parameters of interest (step 816). Based on the comparison of step 816, the authentication module 312 determines if the parameter(s) of interest for the recently received user input are valid (step 820). In this step, the authentication module 312 may determine that user inputs are invalid or suspect if they have a parameter of interest which deviates from the average by more than a predetermined threshold value (i.e., by either exceeding or falling below the average).

Accordingly, if the query of step 820 is answered negatively, then the computational device 104, 204 may perform one or more actions which are consistent with determining that an invalid or suspect user input has been received (step 824). Such actions may include slowing down the rate at which entries are accepted by the computational device 104, 204, temporarily disabling functionality of the computational device 104, 204, permanently disabling functionality of the computational device 104, 204, transmitting a message to security personnel, sounding an alarm, combinations thereof, or the like.

If, however, the query of step 820 is answered affirmatively, then the method may continue with the process of determining a user input parameter average.
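The FIG. 8 analysis method (steps 804 through 824) for two parameters of interest, as an added Python example that is not the patent's code; the minimum sample count, the standard-deviation gate, the deviation limits and the input trace are constructed assumptions:

```python
import statistics
from typing import Dict, List, Tuple

# Added example, not the patent's code. It implements the FIG. 8 analysis path for
# pressure and slide speed; the sample count, thresholds and the trace below are
# constructed assumptions, not values from the disclosure.

MIN_SAMPLES = 5                                               # inputs needed before the baseline is trusted
MAX_BASELINE_STDEV = {"pressure": 15.0, "slide_speed": 40.0}  # baseline must be this stable (step 804 gate)
DEVIATION_LIMIT = {"pressure": 30.0, "slide_speed": 80.0}     # step 820 threshold, above or below the average


class InputAnalyzer:
    """Keeps per-parameter history (step 812) and judges new inputs against it (steps 816/820)."""

    def __init__(self, average_valid_only: bool = True):
        self.history: Dict[str, List[float]] = {p: [] for p in DEVIATION_LIMIT}
        self.average_valid_only = average_valid_only   # step 812: average all inputs or only valid ones

    def baseline_ready(self) -> bool:
        """Take the analysis path only after enough inputs with a small standard deviation."""
        for p, vals in self.history.items():
            if len(vals) < MIN_SAMPLES or statistics.pstdev(vals) > MAX_BASELINE_STDEV[p]:
                return False
        return True

    def averages(self) -> Dict[str, float]:
        return {p: statistics.fmean(v) for p, v in self.history.items()}

    def check(self, params: Dict[str, float]) -> Tuple[bool, List[str]]:
        """Return (valid, reasons); reasons name every parameter outside its deviation limit."""
        reasons: List[str] = []
        if self.baseline_ready():                      # step 816: compare with the averages
            avg = self.averages()
            for p, limit in DEVIATION_LIMIT.items():
                if abs(params[p] - avg[p]) > limit:    # exceeding or falling below the average
                    reasons.append(f"{p}={params[p]:.1f} vs average {avg[p]:.1f}, limit {limit}")
        valid = not reasons
        if valid or not self.average_valid_only:       # step 812: fold the input into the average
            for p in self.history:
                self.history[p].append(params[p])
        return valid, reasons


class SuspectInputResponder:
    """Step 824: slow the accepted entry rate, then temporarily disable after repeated suspects."""

    def __init__(self, lockout_after: int = 3):
        self.suspects, self.lockout_after = 0, lockout_after

    def on_result(self, valid: bool) -> Dict[str, object]:
        if valid:
            return {"delay_s": 0, "locked": False, "notify": False}
        self.suspects += 1
        locked = self.suspects >= self.lockout_after
        return {"delay_s": 2 ** self.suspects, "locked": locked, "notify": locked}


# Constructed trace: the authorised user's habitual touch, then two inputs that do not fit it.
SAMPLE_TRACE = [
    {"pressure": 100, "slide_speed": 200},
    {"pressure": 101, "slide_speed": 205},
    {"pressure": 102, "slide_speed": 195},
    {"pressure": 103, "slide_speed": 210},
    {"pressure": 104, "slide_speed": 190},
    {"pressure": 102, "slide_speed": 205},   # fits the baseline
    {"pressure": 170, "slide_speed": 200},   # much harder press than usual
    {"pressure": 101, "slide_speed": 320},   # much faster slide than usual
]


def analyze_trace(trace: List[Dict[str, float]]) -> List[Tuple[bool, Dict[str, object]]]:
    """Run every input through the analyzer and responder; return (valid, action) per input."""
    analyzer, responder = InputAnalyzer(), SuspectInputResponder()
    out = []
    for params in trace:
        valid, _ = analyzer.check(params)
        out.append((valid, responder.on_result(valid)))
    return out
```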

A number of extensions and alternative implementations are considered to be within the scope of the present disclosure. As one example, a linear potentiometer is not the only type of user input portion 404 that can be utilized to achieve a cost-effective but secure user interface 112. Rather, a touch screen configured to simultaneously detect and analyze multiple inputs can be utilized. In such an implementation, in addition to sliding motions, different gesturing motions, such as pinching, could be utilized to select individual digits. In particular, if a pinching gesture is utilized to achieve a user input, then the relative distance between the user's two fingers may be correlated to the input zones 412 described above. A very small distance (e.g., 1-5 mm) between the user's two fingers may correspond to the Nth input zone 412N whereas a very large distance (e.g., 10-20 cm) between the user's two fingers may correspond to the first input zone 412 a. All other aspects of the present disclosure may be performed in substantially the same way as described. Specifically, there could be separate pinch zones for each data value in a multi-digit entry.

As another possible extension contemplated by the present disclosure, the electronics of the user interface 112, including the controller 604 and the connections between the controller 604, the user input 608, and the user output 612, may be potted in a potting material, thereby making the user interface 112 substantially weather resistant.

As another possible extension contemplated by the present disclosure, a pressure sensitive device could be used to select data inputs where different magnitudes of applied pressure correspond to the input zones 412 described above. A number of different magnitudes of applied pressure may have different data values assigned thereto. As the user presses the user input portion 404 harder, the different data values may be displayed via the user output 408. When the desired data value is displayed via the user output 408, the user may completely release the user input portion 404 and the last-displayed data value is selected as the data input. The value may correspond to a digit, an enter command, a clear command, or a series of input commands.

The use of a pressure sensor may also enable additional inputs without requiring the user to slide their finger across the user input portion 404. In particular, a user may press the user input portion 404 extra “hard” (e.g., apply a pressure greater than a predetermined amount of pressure) to signify: (1) that data entry is complete; (2) that one or more previous entries should be erased; or (3) that the user is under duress and security personnel should be notified.

In another possible extension contemplated by the present disclosure, a reserved code can be utilized to enter a “programming mode” where the configuration data 324 can be changed. For example, the configuration data 324 may define how configurations of the user input portion 404 are scrambled between user inputs, the number of digits to be displayed via the user output portion 408, data output formats, the programming mode code, a list of one or more input passwords that will unlock access to the asset, etc. During the programming mode, one or more of these operating characteristics can be modified.

In another possible extension, a biometric swipe sensor may be designed to utilize some or all of the concepts disclosed herein. Specifically, the biometric swipe sensor can be configured to detect partial swipes of a user's finger and correlate different amounts of partial swipes to different input values. During such partial swipes, the user's fingerprint may also be analyzed as a second factor of authentication.

In the foregoing description, for the purposes of illustration, methods were described in a particular order. It should be appreciated that in alternate embodiments, the methods may be performed in a different order than that described. It should also be appreciated that the methods described above may be performed by hardware components or may be embodied in sequences of machine-executable instructions, which may be used to cause a machine, such as a general-purpose or special-purpose processor or logic circuits programmed with the instructions, to perform the methods. These machine-executable instructions may be stored on one or more machine readable mediums, such as CD-ROMs or other types of optical disks, floppy diskettes, ROMs, RAMs, EPROMs, EEPROMs, SIMs, SAMs, magnetic or optical cards, flash memory, or other types of machine-readable mediums suitable for storing electronic instructions. Alternatively, the methods may be performed by a combination of hardware and software.

Specific details were given in the description to provide a thorough understanding of the embodiments. However, it will be understood by one of ordinary skill in the art that the embodiments may be practiced without these specific details. For example, circuits may be shown in block diagrams in order not to obscure the embodiments in unnecessary detail. In other instances, well-known circuits, processes, algorithms, structures, and techniques may be shown without unnecessary detail in order to avoid obscuring the embodiments.

Also, it is noted that the embodiments were described as a process which is depicted as a flowchart, a flow diagram, a data flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. A process is terminated when its operations are completed, but could have additional steps not included in the figure. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination corresponds to a return of the function to the calling function or the main function.

Furthermore, embodiments may be implemented by hardware, software, firmware, middleware, microcode, hardware description languages, or any combination thereof. When implemented in software, firmware, middleware or microcode, the program code or code segments to perform the necessary tasks may be stored in a machine readable medium such as a storage medium. A processor(s) may perform the necessary tasks. A code segment may represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software package, a class, or any combination of instructions, data structures, or program statements. A code segment may be coupled to another code segment or a hardware circuit by passing and/or receiving information, data, arguments, parameters, or memory contents. Information, arguments, parameters, data, etc. may be passed, forwarded, or transmitted via any suitable means including memory sharing, message passing, token passing, network transmission, etc.

While illustrative embodiments of the disclosure have been described in detail herein, it is to be understood that the inventive concepts may be otherwise variously embodied and employed, and that the appended claims are intended to be construed to include such variations, except as limited by the prior art.

What is claimed is:
 1. A method of securely receiving user input at acomputational device, the method comprising: detecting user engagementof a user input at a first input zone of the user input; determining afirst data value corresponding to the first input zone; displaying thefirst data value to the user via a user output; detecting userengagement of the user input at a second input zone of the user input;determining a second data value corresponding to the second input zone;displaying the second data value to the user via the user output;determining that the user has disengaged the user input at the secondinput zone; and in response to determining that the user has disengagedthe user input at the second input zone, conditioning the second datavalue as input data for the computational device.
 2. The method of claim1, further comprising: transmitting the input data to an authenticationmodule for comparison with authentication data.
 3. The method of claim2, wherein the authentication module is contained within thecomputational device.
 4. The method of claim 1, the user input comprisesa linear potentiometer and wherein the user output comprises a separatedisplay unit.
5. The method of claim 4, wherein the linear potentiometer is at least one of a resistive and capacitive linear potentiometer and wherein the user output comprises an LED display.
6. The method of claim 1, wherein the second data value corresponds to the second input zone at a first instance, the method further comprising: detecting, at a second instance after the first instance, user engagement of the user input at the second input zone of the user input; determining a third data value corresponding to the second input zone at the second instance; displaying the third data value to the user via the user output; determining that, at the second instance, the user has disengaged the user input at the second input zone; and in response to determining that, at the second instance, the user has disengaged the user input at the second input zone, conditioning the third data value as input data for the computational device.
7. The method of claim 6, wherein the second and third data values are combined as a string input.
8. The method of claim 6, wherein a size of the second input zone is smaller or larger at the first instance than at the second instance.
9. The method of claim 1, wherein the user input comprises a touch pad configured to detect and process multiple simultaneous engagements of the user input.
10. The method of claim 9, wherein the first input zone comprises a pinch zone defined by a distance between two simultaneous user engagements of the user input.
11. The method of claim 1, wherein the user output is configured to substantially prevent off-axis viewing of the user output.
12. The method of claim 11, wherein the user output comprises a privacy shielding material or louvers.
13. The method of claim 1, further comprising: determining, for the user engagement of the first input zone, a first value of a user input parameter of interest; determining, for the user engagement of the second input zone, a second value of the user input parameter of interest; and determining an average value of the user input parameter of interest based, at least in part, on the first and second values of the user input parameter of interest.
14. A computer-readable medium comprising processor-executable instructions that, when executed by a processor of the computational device, perform the method of claim 1.
15. A computational device, comprising: a user interface including a user input portion and a user output portion; and instructions configured to detect user engagement of the user input portion at a first input zone, determine a first data value corresponding to the first input zone, cause the first data value to be displayed via the user output portion, detect user engagement of the user input portion at a second input zone, determine a second data value corresponding to the second input zone, cause the second data value to be displayed via the user output portion, determine that the user has disengaged the user input portion at the second input zone, and in response to determining that the user has disengaged the user input portion at the second input zone, condition the second data value as input data for the computational device.
16. The device of claim 15, further comprising a communication interface configured to transmit the second data value to a networked device.
17. The device of claim 15, wherein the user input portion comprises a linear potentiometer.
18. The device of claim 15, wherein the user input portion comprises an optical input.
19. The device of claim 15, wherein the user input portion is configured with a plurality of input zones, wherein data values are assigned to the plurality of input zones at a first instance according to a first configuration, wherein data values are assigned to the plurality of input zones at a second instance according to a second configuration, wherein the second instance occurs after the first instance, and wherein the first and second configurations are different.
20. The device of claim 19, wherein a size of the first input zone in the first configuration differs from a size of the first input zone in the second configuration.
21. The device of claim 15, wherein the user output portion is physically separated from the user input portion such that the data values displayed via the user output portion are not viewed through the user input portion.
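As an added illustration, not the patent's own code, the following Python simulation walks through the entry flow the claims describe: each instance assigns data values to the input zones in a fresh configuration (claim 19), the value under the user's finger is shown on a separate output while the zone is engaged (claims 1, 15), only the value at the point of disengagement is conditioned as input and appended to the entered string (claims 6, 7), and a user input parameter is averaged across engagements (claim 13). The ten-digit value set, the pressure parameter and the shuffle-based configuration change are assumptions made for the example.

```python
import random
import secrets
from typing import Optional


class SecureEntryPad:
    """Simulated entry flow from the claims (added example, not the patent's
    code); the digit value set and pressure parameter are assumptions."""

    def __init__(self, n_zones: int = 10, rng: Optional[random.Random] = None):
        self.n_zones = n_zones
        # OS CSPRNG so a layout cannot be predicted from earlier ones; a seeded
        # Random may be injected for tests.
        self._rng = rng or secrets.SystemRandom()
        self.zone_values: list = []
        self.display = ""   # user output portion, separate from the input
        self.entered = ""   # values already conditioned as input (claim 7)
        self._pressures: list = []
        self.reshuffle()

    def reshuffle(self) -> None:
        # New instance, new assignment of data values to zones (claim 19):
        # the position pressed reveals nothing without the shielded output.
        self.zone_values = [str(d) for d in range(self.n_zones)]
        self._rng.shuffle(self.zone_values)

    def engage(self, zone: int, pressure: float) -> str:
        # Engagement determines the zone's current value and displays it
        # (claims 1, 13); sliding across zones only updates the display.
        if not 0 <= zone < self.n_zones:
            raise ValueError("zone out of range")
        self._pressures.append(pressure)
        self.display = self.zone_values[zone]
        return self.display

    def disengage(self, zone: int) -> str:
        # Only on disengagement is the value conditioned as input (claims 1, 6)
        # and appended to the string (claim 7); then the zones are reassigned.
        value = self.zone_values[zone]
        self.entered += value
        self.display = ""
        self.reshuffle()
        return value

    def average_pressure(self) -> float:
        # Claim 13: average of a user input parameter across engagements.
        if not self._pressures:
            return 0.0
        return sum(self._pressures) / len(self._pressures)
```

Because a value is committed only on release, an observer who sees the finger position but not the shielded output learns nothing about the digit, and the reshuffle after each commit keeps one observed layout from explaining the next entry.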
